We can never expect the cyberworld to go without security incidents. These incidents reinforce the importance of email protection and other cybersecurity services. The following are the top cyberattacks from the week gone by.

Bulletproof Services Conceal Magecart Attacks

Bulletproof hosting services have become the new favorite of Magecart attackers (known for launching web-based skimming attacks). In the latest incident, attackers were seen hiding their JavaScript skimmers behind Media Land, a bulletproof hosting service. In another incident, a person named Julio Jaime registered 240 domains on Media Land that were used in phishing campaigns targeting Microsoft Office 365 and bank users. He used two email addresses to register the domains, one of which also hosted a skimmer called Grelos.

The Magecart ecosystem is thriving because of the services provided by these bulletproof hosting providers, which continue to operate despite the measures taken by law enforcement. Such bulletproof hosting services are likely to be used even more widely in the coming days, so organizations are advised to use their firewalls to block traffic to and from these hosting providers.


Credential Phishing Campaigns Misuse Google Forms

Cybersecurity researchers have discovered a campaign in which attackers use Google Forms, together with carefully chosen keywords, to get past email security services. The use of Google Forms for scams isn’t new and is routinely observed in credential phishing campaigns. The adversaries use this relatively common social engineering scheme to target victims in the healthcare, telecommunications, retail, manufacturing, and energy sectors.

Google Forms makes it possible for the attackers to evade email filters. They use the names of C-level executives from the targeted organization in emails that always seem urgent. It’s usually a “Quick Task” that the so-called executive asks of a colleague as he is heading into a meeting. Such pretexts have been used before in credential phishing attacks, and they continue to be effective even today. The ‘quick task’ requires the recipient to click on a link, which leads to an untitled Google Form. Naturally, the recipient would get back to the C-level executive about the broken link, and that’s where the attackers win. Therefore, all businesses and individuals should consider adopting email security as a service and train employees to recognize the fake tone of urgency that is built into BEC scams.
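The urgent-task pattern described above can be turned into a simple mail-gateway check: a Google Forms link on its own is benign, but combined with urgency wording, an executive's name on an external sender address, or a Reply-To pointing elsewhere, it is worth holding for review. The Python below is an added example, not code from the original post; the executive list, the internal domain `example.com` and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: a real deployment would load these from the directory
# and the mail-gateway configuration.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

FORMS_LINK = re.compile(r"https?://(?:docs\.google\.com/forms|forms\.gle)/\S+", re.I)
URGENCY = re.compile(
    r"\b(?:quick task|urgent|asap|right away|heading (?:in)?to a meeting)\b", re.I
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Flag the executive-impersonation + Google Forms pattern in one plain-text email."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    from_domain = _domain(from_addr)
    flags = {
        # A Google Forms URL anywhere in the subject or body.
        "forms_link": bool(FORMS_LINK.search(text)),
        # The manufactured time pressure the roundup describes.
        "urgency": bool(URGENCY.search(text)),
        # An executive's display name on a sender outside our own domain.
        "exec_impersonation": display_name.strip().lower() in EXECUTIVES
        and from_domain != INTERNAL_DOMAIN,
        # Replies routed to a different domain than the visible sender.
        "reply_to_mismatch": bool(reply_addr) and _domain(reply_addr) != from_domain,
    }
    # The link alone is common in legitimate surveys; it becomes suspicious
    # only when paired with urgency or impersonation.
    suspicious = flags["forms_link"] and (flags["urgency"] or flags["exec_impersonation"])
    return {"flags": flags, "verdict": "suspicious" if suspicious else "ok"}


# Constructed sample messages (not real mail).
PHISH_EMAIL = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
Reply-To: <reply@mail-drop.example.net>
To: staff@example.com
Subject: Quick Task

Are you free? I am heading into a meeting and need you to fill this in right away:
https://docs.google.com/forms/d/e/EXAMPLE-ID/viewform
"""

SURVEY_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Annual tooling survey

Please take a few minutes this month to complete our survey:
https://forms.gle/EXAMPLE-ID
"""

INTERNAL_URGENT = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Urgent: board deck

Can you send me the latest deck right away? I am heading into a meeting.
"""


def run_samples() -> list:
    """Verdicts for the three constructed messages, in order."""
    return [analyze(m)["verdict"] for m in (PHISH_EMAIL, SURVEY_EMAIL, INTERNAL_URGENT)]


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("survey", SURVEY_EMAIL), ("internal", INTERNAL_URGENT)):
        print(name, analyze(raw))
```

The survey message shows why the link alone must not be the trigger: the helpdesk mail carries a forms.gle URL and is still rated ok, while the internal executive's genuinely urgent note has no link and is also left alone. Only the message that combines the link, the urgency wording and an executive's name on a webmail sender is held.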


Phishing Actors Accidentally Upload Stolen Data

The adversaries found a way past Microsoft Office 365 Advanced Threat Protection (ATP) and stole the credentials of more than 1,000 corporate employees, mainly from construction and energy companies. However, an operational security failure on their part left all the stolen records publicly accessible. This means that even Google could index the stolen credentials, allowing opportunistic hackers to procure compromised user credentials with simple Google searches.

The phishing campaign involved fake Xerox (or Xeros) scan notifications that, when opened, required users to enter their Office 365 passwords on a spoofed Microsoft login page. Doesn’t reading about such phishing scams validate all those cybersecurity tools and tips: refraining from clicking on links embedded in emails, looking for spelling errors and typos, maintaining password hygiene, and so on?


Vulnerability In Video Conferencing Apps Lets Attackers Eavesdrop

Natalie Silvanovich, a security researcher from Google Project Zero, found vulnerabilities in the video calling features of Facebook Messenger, Signal, JioChat, Google Duo, and Mocha messaging apps. The flaws allowed an adversary to listen to the callee’s surroundings before the callee answered the call. Although the vulnerabilities are now fixed, while they were active they caused the callee’s device to transmit audio to the attacker’s device without any code execution.

Cybersecurity can never be taken for granted: what should ideally have required the callee’s consent happened without even establishing the peer connection. Silvanovich reports that most of these flaws are logic vulnerabilities in the call setup, where the app transmits audio or video to the caller without waiting for the callee’s permission.


Fake Job Offers On LinkedIn Discovered

You might have heard about the fake Harvard University professorship offer letter that the Indian journalist Nidhi Razdan recently received. Now we have a similar LinkedIn fraud, reported by videographer Luigi Benvisto. Benvisto received two job offers on LinkedIn from what appeared to be real HR employees of Decathlon and DB Schenker. The messages followed a similar pattern: they asked Benvisto to join the company for an interview, register himself on a portal, and share his bank account details for payroll purposes.

The impersonated recruiter also sent Benvisto a PDF containing the job description to increase credibility. However, he felt something was amiss and contacted the HR people concerned on LinkedIn, only to find that the messages he had received were indeed a scam! Since we have now seen one instance of this LinkedIn fraud, in all likelihood we should expect more such incidents in the coming days. Users are advised to report suspicious job offers, refrain from sharing personal details with such people, and take ransomware protection seriously.


Bug Makes Private YouTube Playlists Public

Cybersecurity researcher David Schutz recently discovered a security bug in YouTube. The bug allowed attackers to view the playlists, favorites, and watch history of any user who opened a YouTube video embedded in an external website. YouTube’s embedded player feature enables website developers to include YouTube videos on their sites, and it also lets the embedding page query the player for information about what it is playing.

A threat actor could use this feature to embed YouTube videos in a malicious website, which would then be used to play the ‘HL’ (history), ‘WL’ (watch later) or other playlists of the visiting user. Such abuse of the embedded player’s API enabled attackers to view and steal users’ watch history. The bug may seem minor on the surface, but adversaries could use it to load a user’s private playlists into the player in that user’s name and read off their contents.
